Radar #4: Week of 11/18/2024

Radar #4: This week's topics: Python Digital Attestations, The Fate of CISA, and more
Learn more about The Radar here

PyPI now supports digital attestations

PyPI, the package repository that the pip command searches, announced that it now supports digital attestations: a method for cryptographically verifying which source repository a Python package was built from. This is generally a step in the right direction, but there has been discussion about how much it actually improves supply chain security. While attestations let you learn where a package came from, it is very important to note that they only guarantee who (which repository) a package came from; they have no effect on supply chain attacks that target the build process, such as the (in)famous SolarWinds attack, where the compromise happened before any digital attestation would have been created.

The documentation is very clear about this. Still, it will likely fall on security folks to keep spreading awareness that a digitally attested package is not, code-wise, any more trustworthy than one that is not attested. For further reading I recommend the Trail of Bits blog and the PyPI Security Model documentation.

CISA Under The New Administration

There has been a lot of fear-mongering about CISA being eliminated. While this would undoubtedly be a terrible idea, I don’t think it’s something we should entertain as a reality. CISA does a lot of fantastic non-partisan work. The quote being circulated is: “I’d like to eliminate it, The First Amendment is pretty important, that’s why we listed it as the First Amendment, and I would have liked to, at the very least, eliminate their ability to censor content online”. It should be noted that while CISA does release information about hot topics such as election security, its messaging on election security was consistent across both the 2024 and 2020 elections. Transparency that doesn’t push a particular objective is not censorship.

CISA is effective not because it can impose cyber restrictions on companies, but because it produces reports and resources that security leaders can use to drive change in their organizations. My absolute favorite use of CISA resources is to take a CISA report, extract every MITRE ATT&CK technique from it, run those techniques with Atomic Red Team, then analyze the results to see whether the attack would have been caught. If not, that’s a great data point for a report to executive leadership on why additional resources are needed. Here are some of my favorite resources from CISA:
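The report-to-Atomic workflow described above, as an added example that is not code from the newsletter: it pulls ATT&CK technique IDs out of advisory text, compares them against the techniques your team already has detections for, and emits the Invoke-AtomicRedTeam commands for the uncovered ones. The advisory excerpt and the DETECTED set are constructed for illustration.

```python
import re

# Constructed excerpt written in the style of a CISA advisory; not a real report.
SAMPLE_REPORT = """
Initial access was via a spearphishing attachment [T1566.001]. The actors then
used valid accounts [T1078] and PowerShell [T1059.001] for execution, created
scheduled tasks (T1053.005) for persistence, and again invoked T1059.001.
Exfiltration over the C2 channel [T1041] was observed. Not an ID: T9999X.
"""

# Constructed set of technique IDs the blue team has validated detections for.
# A bare parent ID (e.g. T1053) counts only as partial coverage of its sub-techniques.
DETECTED = {"T1078", "T1059.001", "T1041", "T1053"}

# ATT&CK technique IDs: "T" + four digits, with an optional ".NNN" sub-technique suffix.
TECHNIQUE_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b")


def extract_techniques(text):
    """Sorted, de-duplicated technique IDs found in free text (sub-techniques kept)."""
    found = set()
    for m in TECHNIQUE_RE.finditer(text):
        found.add("T" + m.group(1) + ("." + m.group(2) if m.group(2) else ""))
    return sorted(found)


def coverage_report(techniques, detected):
    """Bucket each technique as covered, parent_only (only the parent ID has a
    detection) or a gap; the gaps are the data points for the leadership report."""
    report = {"covered": [], "parent_only": [], "gaps": []}
    for tid in techniques:
        if tid in detected:
            report["covered"].append(tid)
        elif tid.split(".")[0] in detected:
            report["parent_only"].append(tid)
        else:
            report["gaps"].append(tid)
    return report


def atomic_plan(techniques):
    """PowerShell lines that check prerequisites and then run every atomic test
    for each technique via Invoke-AtomicRedTeam's Invoke-AtomicTest cmdlet."""
    plan = []
    for tid in techniques:
        plan.append(f"Invoke-AtomicTest {tid} -CheckPrereqs")
        plan.append(f"Invoke-AtomicTest {tid}")
    return plan
```

Run the resulting plan on a lab host with your telemetry pipeline attached, then treat any technique that produced no alert as a gap for the executive report.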

Caught My Eye

  • CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging: You’ve heard of BYOD, but have you heard of BYOVM? An as-yet-unattributed attacker has started delivering a QEMU Linux VM via phishing payloads. Once executed, a legitimate, preconfigured QEMU Linux image is run that connects back to attacker C2 infrastructure.
  • Time Boxed Penetration Testing: A reminder that most security companies are selling web application pentests that are time-boxed. It is part of your job as a trusted advisor to inform your clients of what outcome they should expect from your service. Don’t sell a web app penetration test as a “comprehensive assessment” if it’s a 40-hour test on a massive application without access to source code.
  • Cloud with a chance of not enshittifying: A sane take on the four-way tug of war going on between bsky/mastodon/threads/twitter. I’d like to see a fully decentralized version of Twitter/X, but having used some, it’s clear that they’re not exactly user-friendly, and I quickly realized that some sort of algorithm is necessary to make them useful. I’ve been spending a LOT more time in my RSS reader (I use, and recommend, Feedbin).
  • Awesome Annual Security Reports: An aptly named list of annual security reports.
  • Making Sense of Kubernetes Initial Access Vectors: I’m very excited about the recent surge in Kubernetes offensive security content being published.

Newsletter

Want this sent straight to your inbox? You can subscribe here to have it sent every Monday morning.